Category Archives: Cisco

Recently I’ve been building my first ACI installation. We’re doing it on our own, and I’m reaching out to TAC and a key friend for help if I get stuck on anything that googling doesn’t solve. It’s been going pretty well actually, and I have only run into a few snags (which I will document here in other posts).

Our plan for this first build is to make a few critical things work properly and then blow the whole thing away and rebuild it using as much scripting as possible. It’s a great way to learn new tech.

One of our final tasks was to get authentication working and our systems team would love to move as many things to SSO/SAML as possible, so that was the thing to implement on the ACI admin pages. Here’s the problem we’ve had: you need to return a specific value for “CiscoAVPair” and man, it’s hard to find documentation that isn’t all screwed up on the format, because it matters…A LOT.

First off, the variable name is “CiscoAVPair” (no quotes). NOT “ciscoAVpair” or “CiscoAVpair” or “CiscoAvPair” or “Cisco-avpair”. I’ve found documents (yes, from Cisco) with all of those different capitalizations.

Second thing is the value of the string:

shell:domains=all/admin/

No spaces and make sure to get that slash in at the end. “all” is the security domain and “admin” is the role.
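As an added example (mine, not from the original post), here is a small Python check you can run against the attribute name and value before pushing them into the IdP or ACI config. It assumes the shell:domains=<domain>/<role>/ shape shown above; accepting several roles separated by | is my assumption, not something the post states.

```python
import re

REQUIRED_ATTR = "CiscoAVPair"   # exact spelling and case the post says ACI expects
# Shape shown in the post: shell:domains=<domain>/<role>/ (trailing slash required, no spaces)
VALUE_RE = re.compile(r"^shell:domains=(?P<domain>[^/\s]+)/(?P<roles>[^/\s]*)(?P<slash>/?)$")


def lint_av_pair(attr_name, value):
    """Return (parsed, problems): parsed is {'domain', 'roles'} or None, problems a list of strings."""
    problems = []
    if attr_name != REQUIRED_ATTR:
        # Same letters, wrong case or punctuation: the mistake the post warns about
        if attr_name.replace("-", "").lower() == REQUIRED_ATTR.lower():
            problems.append(f"attribute name {attr_name!r}: must be exactly {REQUIRED_ATTR!r} (case and punctuation)")
        else:
            problems.append(f"attribute name {attr_name!r} is not {REQUIRED_ATTR!r}")
    if any(c.isspace() for c in value):
        problems.append("value must contain no whitespace")
    m = VALUE_RE.match(value.strip())
    if not m:
        problems.append("value must look like shell:domains=<domain>/<role>/")
        return None, problems
    if not m.group("slash"):
        problems.append("value is missing the trailing slash after the role")
    # Splitting the role field on '|' is my assumption; the post only shows a single role
    roles = [r for r in m.group("roles").split("|") if r]
    if not roles:
        problems.append("no role given between the slashes")
    return {"domain": m.group("domain"), "roles": roles}, problems
```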

Here’s a great “gotcha” we ran into, maybe google will save somebody else this headache:

Two Nexus 5Ks with a vPC peer-link between them. Each of them was getting a 2K connected with two FEX ports. The first 2K comes up with no problems. The second 2K says “link not connected.” Of course we assume that the 2K either has an SFP instead of FEX or there’s a physical cable problem. Nope.

Both 5Ks were using the same port-channel number (in this case 101). Going into the second 5K, removing port-channel 101 and building port-channel 1101 (keeping the same FEX info) causes the interfaces to immediately come up.

Cisco, I understand that there are going to be weird things that come up with new architectures, but this works on 7Ks. Also, “link not connected” is totally the wrong interface status to show here. An err-disabled state or something similar would be much more appropriate.

I was trying to upgrade and configure our 1010s before installing them in the rack and was banging my head on the desk trying to figure out why they wouldn’t boot after I dropped a config in. Apparently the control network needs to be up in order for the primary system to even boot once it’s configured…so yeah…watch out for that.

Just so everybody knows, when the documentation over at cisco.com says you can’t mix modules for vPC links, it only says that you can’t mix F and M series. What it doesn’t tell you is that you can’t mix M modules either. We recently had an M1 series module fail and tried to move one of the port-channel links to an M2 module; the command fails when you try to add the interface to the channel-group.

Why isn’t that in the same document that says you can’t mix F and M series? I have no idea. TAC told me that you can mix M modules for regular port-channels, but the VPC peer-link requires that they be the same model.

At least when I took it all you really needed was GNS3 and some books.

There are some great videos out there too. I don’t often plug pay sites (they’ve given me nothing…promise), but cbtnuggets.com has a guy named Jeremy Cioara who is becoming something of a legend in the networking community. I don’t think I’ve spoken to somebody in the network world who hasn’t seen his CCNA/CCNP series done for cbtnuggets. I did, and they helped a lot with some concept stuff. Don’t think that only watching the videos will give you everything you need. There’s still that pesky memorization stuff that they throw on the exams that you can only really get out of a book, but they’re a great start.
As for GNS3 all you really need to use is a 3725 router and add different switch modules (right click on the router when it’s in the topology and Configure > Slots…add serial or switch modules from there). If you get the correct image for the 3725 you can run all the protocols covered on the exams (even IS-IS and IPv6).

I liked to come up with scenarios that were a bit more real-world based. I mean, when was the last time anybody got onto a new job to find that everything was standardized and perfectly efficient? So when putting together some of the networks for redistribution exercises or switching networks for STP practice think to yourself “How would a network look if 3 different engineers had different budgets and priorities?” Then build that.

Pretend there are some old models kicking around that don’t support newer protocols (or just haven’t been upgraded in years).

Pretend that a project was started to migrate to a different IGP, but was never completed because somebody left.

I know I had a mental block when looking at some scenarios. I would think to myself “Why in the world would this ever happen?” It happens. More often than you’d like. Most of the people I talk to lately are working on projects to fix what has happened in the past…so there will be some migration plans that look dirty, but are needed because you can’t get to the whole network in one maintenance window. So, the “why” doesn’t matter anymore, just that it “has.”

Basically, it comes down to this: when you change the hardware MTU on Cisco gear, IOS automagically configures the IP MTU to the hardware MTU + 24 bytes (18 bytes for the Ethernet header plus some pad for layer 2 or other goodies). Juniper doesn’t make that change for you. So if you change the hardware MTU, you need to set the IP MTU as well.

2) Scripts in Excel, Access, whatever other program you like to use

Looking back I should have done this next task in Access where I get to use sql commands, but everybody has Excel, so this seemed like a better choice should I get hit by a bus or something.

I’m not a professional programmer. I know I do things that are not necessarily correct or pretty. I have a tendency to use functions instead of subs because I like to use the return value of the function during debug. I’m sure I have other bad programming habits that would drive some people crazy, but at the end of the day I can get the job done and make my life easier when the day of a change comes.

Here’s some code that takes a log file, dumps it into a new sheet with a timestamp and then pulls the vlan info I need, Vlan ID, Root Bridge, and any blocking ports into an existing sheet. It will do this for Cisco IOS switches, CatOS switches, and JunOS switches.

Sub ParseSwitchLog() 'sub name assumed; the excerpt starts after the header
'WS is current worksheet and opens a new sheet at the beginning of the run
'I might need to move this to the functions that import the files....
Dim WS As Worksheet
Dim filePath As Variant
Dim RouterId As String
Set WS = Sheets.Add
'get the log file to parse
filePath = Application.GetOpenFilename

'chop out the routerid from the filepath
'this assumes that the filename is the router-id
RouterId = GetFilenameFromPath(filePath)
RouterId = Left(RouterId, Len(RouterId) - 4) 'drop the 4-character extension (".txt" assumed)

'so the output of a couple of switches changes with the version. some didn't have a > others did...quick fix below
If RouterId = "switch3" Or RouterId = "switch4" Then
    RouterId = RouterId & ">"
End If

End Sub
________________________________________________________________________
Function GetFilenameFromPath(ByVal strPath As String) As String
' Returns the rightmost characters of a string up to but not including the rightmost '\'
' e.g. 'c:\winnt\win.ini' returns 'win.ini'
    GetFilenameFromPath = Mid(strPath, InStrRev(strPath, "\") + 1)
End Function

____________________________________________________________________________________________________
Function WriteToExcel(StrArray)
'takes the array output from ImportFile and writes it into the current sheet starting at A1
Dim counter As Integer
Dim cellname As String
'(the body of WriteToExcel is not in the excerpt; the fragments below are the per-vlan root/DR lookup loops)

'first loop: one DR cell per vlan (the For header and the Find call that sets rFnd are not shown here)
ReDim Preserve DRCells(counter)
If Not rFnd Is Nothing Then
    DRCells(counter) = rFnd.Address
Else
    DRCells(counter) = " "
End If

Next counter
'now I have 1:1 arrays with the vlan number and DR...at least I should
throwaway = MsgBox("These should match and be one more than the count from the SecureCRT script" & vbCrLf & UBound(showVlancells) & vbCrLf & UBound(DRCells), vbOKOnly)
'now I need to get all the blocking ports
ReDim BlockingCells(UBound(showVlancells), 4)
For counter = 1 To UBound(showVlancells)
    searchString = "blocking"
    'search from this vlan's header row down to the next vlan's header (or the last cell for the final vlan)
    If counter = UBound(showVlancells) Then
        rowCounter = showVlancells(counter) & ":A" & Lastcell
    Else
        rowCounter = showVlancells(counter) & ":" & showVlancells(counter + 1)
    End If

    ReDim Preserve DRCells(counter)
    'ios output isn't formatted friendly for this kind of search so I need to increment the drcells up one
    '(the Find call that sets rFnd is not shown here)
    If Not rFnd Is Nothing Then
        Set rFnd = rFnd.Offset(1, 0)
        DRCells(counter) = rFnd.Address
    Else
        DRCells(counter) = " "
    End If

Next counter
'now I have 1:1 arrays with the vlan number and DR...at least I should
throwaway = MsgBox("These should match and be one more than the count from the SecureCRT script" & vbCrLf & UBound(showVlancells) & vbCrLf & UBound(DRCells), vbOKOnly)

' ------------------------------------------------------------------
' FindAll - To find all instances of the given string and return the row numbers.
' If there are not any matches the function will return False
' ------------------------------------------------------------------
'(parameter list assumed; the excerpt uses sheetname, rowCounter and searchString as free variables)
Function FindAll(sheetname As Worksheet, rowCounter As String, searchString As String) As Variant
Dim rFnd As Range
Dim rFirstAddress As String
Dim iArr As Long
Dim ARTemp() As Variant
ReDim ARTemp(0)
Set rFnd = sheetname.Range(rowCounter).Find(What:=searchString, LookIn:=xlValues, LookAt:=xlPart)
If Not rFnd Is Nothing Then
    rFirstAddress = rFnd.Address
    Do Until rFnd Is Nothing
        iArr = iArr + 1
        ReDim Preserve ARTemp(iArr) 'this may need to come back later (re-enabled so the array grows with each match)
        ARTemp(iArr) = rFnd.Address ' rFnd.Row ' Store the Row where the text is found
        Set rFnd = sheetname.Range(rowCounter).FindNext(rFnd)
        If rFnd.Address = rFirstAddress Then Exit Do ' Do not allow wrapped search
    Loop
    FindAll = ARTemp
Else
    FindAll = False
End If
End Function
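The same extraction done in Python, as an added example and not code from the post: it parses Cisco IOS "show spanning-tree" output (a constructed, abbreviated sample is embedded; the CatOS and JunOS formats the VBA also handles are not covered) and pulls the VLAN ID, root bridge and blocking ports, plus a check for VLANs whose root is not the bridge you intended, which is the kind of post-change verification these scripting posts are about. The function names and the sample MACs are mine.

```python
import re

# Constructed, abbreviated Cisco IOS "show spanning-tree" output (not a capture from the post)
SAMPLE = """\
VLAN0010
  Root ID    Priority    24586
             Address     0011.2233.4455
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aabb.ccdd.eeff
Interface           Role Sts Cost      Prio.Nbr Type
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p
VLAN0020
  Root ID    Priority    32788
             Address     aabb.ccdd.eeff
             This bridge is the root
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     aabb.ccdd.eeff
Interface           Role Sts Cost      Prio.Nbr Type
Gi0/1               Desg FWD 4         128.1    P2p
"""

VLAN_RE = re.compile(r"^VLAN(\d+)\s*$")
ADDR_RE = re.compile(r"^\s+Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
PORT_RE = re.compile(r"^(\S+)\s+\w+\s+(FWD|BLK|LRN|LIS|LBK)\s")

def parse_show_spanning_tree(text):
    """Map VLAN id -> root bridge MAC, own bridge MAC, root flag and blocking ports."""
    vlans, cur, section = {}, None, None
    for line in text.splitlines():
        if m := VLAN_RE.match(line):          # a new per-VLAN block starts
            cur = vlans.setdefault(int(m.group(1)), {"root": None, "self": None, "is_root": False, "blocking": []})
            section = None
        elif cur is None:
            continue
        elif line.lstrip().startswith("Root ID"):
            section = "root"                  # the next Address line is the root bridge
        elif line.lstrip().startswith("Bridge ID"):
            section = "self"                  # the next Address line is this switch
        elif "This bridge is the root" in line:
            cur["is_root"] = True
        elif (m := ADDR_RE.match(line)) and section:
            cur[section] = m.group(1).lower()
        elif (m := PORT_RE.match(line)) and m.group(2) == "BLK":
            cur["blocking"].append(m.group(1))
    return vlans

def unexpected_roots(vlans, expected_root):  # VLANs whose root is not the bridge we intended
    return sorted(v for v, d in vlans.items() if d["root"] != expected_root.lower())
```

Run it over a saved log with parse_show_spanning_tree(open(path).read()) and diff the result taken before and after the change window.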

In a previous post I talked about documentation and planning for a change, but what can we do to really shorten the time it takes to implement and verify a change?

Scripting.

If we script things out ahead of time we don’t have to use our valuable time during a change window to type things out. Plus we get to check, double-check, test, and debug all ahead of time to make sure things go how we want them to.

Here are a couple of scripts I’ve used lately to help me get info that I need quickly and format it so that it’s easier to look at.

1) Scripts in SecureCRT.

If you don’t own SecureCRT go buy it. You can try to get everything done in putty, but a good terminal program will take you to a new level.

You can use several different scripting languages to help you out here. You can do simple things like have it type commands for you, or complex things like read outputs and make decisions based on what comes out on the terminal. It’s great for data entry type tasks that are horribly repetitive but still need to get done.

This is an example of a script I put together to go through and enter a show command for a list of vlans on a CatOS switch. It’s sloppy from a code perspective, but it was fast and gets the job done. (I’m working in VBScript in this case)
#$Language="VBScript"
#$Interface="1.0"
Sub Main
    Dim counter
    'generic counter variable
    Dim Arraysize
    Dim RouterID
    arr_VlanSet = Array("1", "2") '...keep listing your vlans here
    'sloppy way to populate the vlanset...you can pull this from another file or whatever, but that's more effort
    'than I wanted to put into this simple script
    'Creates a linear array for holding list of vlans
    Arraysize = UBound(arr_VlanSet)
    counter = MsgBox(Arraysize, vbOKOnly)
    RouterID = "hostname of device goes here"
    crt.Screen.Synchronous = True
    For counter = 0 To Arraysize

        crt.Screen.Send "show spantree " & arr_VlanSet(counter) & vbCr
        'CatOS pages long output; answer up to three "--More" prompts with a space
        If crt.Screen.WaitForString("--More", 1) Then
            crt.Screen.Send " "
        End If
        If crt.Screen.WaitForString("--More", 1) Then
            crt.Screen.Send " "
        End If
        If crt.Screen.WaitForString("--More", 1) Then
            crt.Screen.Send " "
        End If

        crt.Screen.Send " " & vbCr

        'wait for the prompt to come back before sending the next command
        crt.Screen.WaitForString RouterID

    Next
End Sub
Remember, these are supposed to save you time on the day, so you don’t need to be elegant in the code. This goes through my list of vlans, puts in the command, waits to see if a space needs to be entered (it does this 3 times) and then goes on to the next command. If you have more than 3 screens of output it’ll wait for you to put in a keystroke manually instead of just going on and missing a command.